Tests that CipherSuites is not overridden when it is set.
| 333 | |
| 334 | // Tests that CipherSuites is not overridden when it is set. |
| 335 | func (s) TestTLS_CipherSuitesOverridable(t *testing.T) { |
| 336 | ctx, cancel := context.WithTimeout(context.Background(), defaultTestTimeout) |
| 337 | defer cancel() |
| 338 | |
| 339 | testCases := []struct { |
| 340 | name string |
| 341 | serverTLS func() *tls.Config |
| 342 | }{ |
| 343 | { |
| 344 | name: "base_case", |
| 345 | serverTLS: func() *tls.Config { |
| 346 | return &tls.Config{ |
| 347 | Certificates: []tls.Certificate{serverCert}, |
| 348 | CipherSuites: []uint16{tls.TLS_RSA_WITH_AES_128_CBC_SHA}, |
| 349 | } |
| 350 | }, |
| 351 | }, |
| 352 | { |
| 353 | name: "fallback_to_base", |
| 354 | serverTLS: func() *tls.Config { |
| 355 | config := &tls.Config{ |
| 356 | Certificates: []tls.Certificate{serverCert}, |
| 357 | CipherSuites: []uint16{tls.TLS_RSA_WITH_AES_128_CBC_SHA}, |
| 358 | } |
| 359 | config.GetConfigForClient = func(*tls.ClientHelloInfo) (*tls.Config, error) { |
| 360 | return nil, nil |
| 361 | } |
| 362 | return config |
| 363 | }, |
| 364 | }, |
| 365 | { |
| 366 | name: "dynamic_using_get_config_for_client", |
| 367 | serverTLS: func() *tls.Config { |
| 368 | return &tls.Config{ |
| 369 | GetConfigForClient: func(*tls.ClientHelloInfo) (*tls.Config, error) { |
| 370 | return &tls.Config{ |
| 371 | Certificates: []tls.Certificate{serverCert}, |
| 372 | CipherSuites: []uint16{tls.TLS_RSA_WITH_AES_128_CBC_SHA}, |
| 373 | }, nil |
| 374 | }, |
| 375 | } |
| 376 | }, |
| 377 | }, |
| 378 | } |
| 379 | |
| 380 | for _, tc := range testCases { |
| 381 | t.Run(tc.name, func(t *testing.T) { |
| 382 | // Create server that allows only a forbidden cipher suite. |
| 383 | serverCreds := credentials.NewTLS(tc.serverTLS()) |
| 384 | ss := stubserver.StubServer{ |
| 385 | EmptyCallF: func(context.Context, *testpb.Empty) (*testpb.Empty, error) { |
| 386 | return &testpb.Empty{}, nil |
| 387 | }, |
| 388 | } |
| 389 | |
| 390 | // Create the client-side TLS credentials. |
| 391 | clientCreds := credentials.NewTLS(&tls.Config{ |
| 392 | ServerName: serverName, |